Menu
Home Explore People Places Arts History Plants & Animals Science Life & Culture Technology
On this page
Spring Security

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced Ah-see-gee /ɑːsiːdʒiː/, whose letters are the first, third, fifth, seventh, and ninth characters from the English alphabet, in order to prevent name conflicts) by Ben Alex, with it being publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.

We don't have any images related to Spring Security yet.
We don't have any YouTube videos related to Spring Security yet.
We don't have any PDF documents related to Spring Security yet.
We don't have any Books related to Spring Security yet.
We don't have any archived web articles related to Spring Security yet.

Authentication flow

Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.

Browser submits "authentication credentials"
"Authentication mechanism" collects the details
An "authentication request" object is built
Authentication request sent to an AuthenticationManager
AuthenticationManager (this is responsible for passing requests through a chain of AuthenticationProviders)
"Authentication provider" will ask a UserDetailsService to provide a UserDetails object
The resultant UserDetails object (which also contains the GrantedAuthority[]s) will be used to build the fully populated Authentication object.
If "Authentication mechanism" receives back the fully populated Authentication object, it will deem the request valid, put the Authentication into the SecurityContextHolder; and cause the original request to be retried.If, on the other hand, the AuthenticationProvider rejected the request, the authentication mechanism will ask the user agent to retry.
AbstractSecurityInterceptor authorizes the regenerated request and throws Java exceptions. (Asks AccessDecisionManager for decision.)
ExceptionTranslationFilter translates the exceptions thrown by AbstractSecurityInterceptor into HTTP related error codes
Error code 403 – if the principal has been authenticated and therefore simply lacks sufficient accessLaunch an AuthenticationEntryPoint – if the principal has not been authenticated which is an authentication mechanism

Key authentication features

  • LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.2: 358–362, §7-3 
  • Single sign-on capabilities using the popular Central Authentication Service.
  • Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note this feature is only a delegation to a JAAS Loginmodule.3
  • Basic access authentication as defined through RFC 1945.
  • Digest access authentication4: 356–358, §7-3  as defined through RFC 2617 and RFC 2069.
  • X.509 client certificate presentation over the Secure Sockets Layer standard.
  • CA, Inc SiteMinder for authentication (a popular commercial access management product).
  • Su (Unix)-like support for switching principal identity over a HTTP or HTTPS connection.
  • Run-as replacement, which enables an operation to assume a different security identity.
  • Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
  • Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty (web server).
  • Windows NTLM to enable browser integration (experimental).
  • Web form authentication, similar to the servlet container specification.
  • "Remember-me" support via HTTP cookies.
  • Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
  • Full support for customization and plugging in custom authentication implementations.

Key authorization features

Instance-based security features

  • Used for specifying access control lists applicable to domain objects.
  • Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.5: 376–381, §7-7 
  • Authorization features are provided to enforce policies before and after method invocations.

Other features

  • Software localization so user interface messages can be in any language.
  • Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
  • Caching in all database-touching areas of the framework.
  • Publishing of messages to facilitate event-driven programming.
  • Support for performing integration testing via JUnit.
  • Spring Security itself has comprehensive JUnit isolation tests.
  • Several sample applications, detailed JavaDocs and a reference guide.
  • Web framework independence.

Releases

  • 2.0.0 (April 2008)
  • 3.0.0 (December 2009)
  • 3.1.0 (December 7, 2011)
  • 3.1.2 (August 10, 2012)
  • 3.2.0 (December 16, 2013)
  • 4.0.0 (March 26, 2015)
  • 4.1.3 (August 24, 2016)
  • 4.2.0 (November 10, 2016)
  • 3.2.10, 4.1.4, 4.2.1 (December 22, 2016)
  • 4.2.2 (March 2, 2017)
  • 4.2.3 (June 8, 2017)
  • 5.0.0 (November 28, 2017)
  • 5.0.8, 4.2.8 (September 11, 2018)6
  • 5.1.0 GA (September 27, 2018)7
  • 5.1.1, 5.0.9, 4.2.9 (October 16, 2018)8
  • 5.1.2, 5.0.10, 4.2.10 (November 29, 2018)9
  • 5.1.3, 5.0.11, 4.2.11 (January 11, 2019)10
  • 5.1.4 (February 14, 2019)11
  • 5.1.5, 5.0.12, 4.2.12 (April 3, 2019)12

Citations

  • Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0.
  • "Why the name Acegi?". spring.io.

References

  1. "Why the name Acegi?". spring.io. https://spring.io/blog/2007/01/25/why-the-name-acegi

  2. Deinum et al. 2014. - Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0.

  3. "Master OAuth: How To Build a Secure Authorization Server". December 29, 2024. https://authorization.news/master-oauth-how-to-build-a-secure-authorization-serverpart-ii/

  4. Deinum et al. 2014. - Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0.

  5. Deinum et al. 2014. - Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0.

  6. "Spring Security 5.0.8 and 4.2.8 Released". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2018/09/11/spring-security-5-0-8-and-4-2-8-released

  7. "Spring Security 5.1 goes GA". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2018/09/27/spring-security-5-1-goes-ga

  8. "Spring Security 5.1.1, 5.0.9, and 4.2.9 Released". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2018/10/16/spring-security-5-1-1-5-0-9-and-4-2-9-released

  9. "Spring Security 5.1.2, 5.0.10, 4.2.10 Released". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2018/11/29/spring-security-5-1-2-5-0-10-4-2-10-released

  10. "Spring Security 5.1.3, 5.0.11, 4.2.11 Released". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2019/01/11/spring-security-5-1-3-5-0-11-4-2-11-released

  11. "Spring Security 5.1.4 Released". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2019/02/14/spring-security-5-1-4-released

  12. "Spring Security 5.1.5, 5.0.12, 4.2.12 Released". spring.io. Retrieved 2019-06-09. https://spring.io/blog/2019/04/03/spring-security-5-1-5-5-0-12-4-2-12-released